Who "Owns" Your Fingerprints?

J. Bradley Klepper
Attorney at Law

As you may have figured out through reading these articles, I am not a big social media guy. Sure, I write these articles and I am on LinkedIn and my business has a Facebook page and the other things, but not me.

My goal is to have zero personal information on the internet. I am losing this battle I know but I am trying. In fact, my entire social media presence, or lack thereof, is based on a few assumptions.

First, nobody in the world cares or wants to see pictures of my family, my dogs, or what I ate for dinner last night. Nobody. Moreover, if we really wanted to stay in contact after grade school, middle school or high school…...we would have, looking at your Facebook (or Meta).

Second, my sense of humor is a tad bit warped and can be more than a little dark. So the chance of me posting something in under 150 characters that could offend the entire world is real and would likely occur. In fact, I would set the over/under at this occurring at three posts. Accordingly, Twitter is out of the picture.

Third, the thought of creating a video story, or posting pictures and other images on Instagram, Tik Tok, or any other app just sounds exhausting. I like to lie to myself and say I work hard at my job and at the end of the day, I just want to spend time with my family and dogs and relax. Creating something for an app just does not appeal to me and I am amazed at the time people have to devote to this endeavor.

So, we have basically established that I am a social media curmudgeon. And I am cool with that. I don’t want an internet presence and I definitely don’t want anyone to track me or use my personal information.

Well, as I was surfing the internet the other day, I ran across an article about a company misusing a person’s biometric data. As I am obviously a big privacy guy and don’t want any internet presence, this intrigued me.

As background, biometric information is data based upon things such as your fingerprints, a retina scan, voice print, hand scan, or facial scanning. Now that you know what biometric information includes think of how often you use it. Off the top of my head, my phone recognizes both my face and fingerprint to unlock it and I have at least a half dozen apps that use my thumbprint as my sign-on.

The more I thought about it the more I wondered, what, if any, laws exist to protect all this information companies have acquired about me. Well, the good news is that five states have some type of Biometric Privacy Laws already on the books. The better news is that the majority of the remaining states have pending legislation to address this issue.

In 2008, Illinois became the first state to enact a Biometric Information Privacy Act (“BIPA”) to govern the collection, use, handling, storage, retention, and destruction of biometric data by businesses. In short, the Illinois version of BIPA covers any biometric data regardless of how it is captured. So, your fingerprint used to open an app or your facial used to unlock your phone are covered but it also includes publicly available information about an individual. This would include taking pictures of people in public or even gathering info from a public photograph.

In addition, BIPA applies regardless of how the information is converted or stored. For what it is worth, most fingerprints scans are converted to an algorithm. This algorithm can’t be reversed engineered to recreate the fingerprint. So even if there is no risk of harm to the individual the business can still be liable for statutory damages based on their use of the information.

Ok, so we know some states have statutes in place to protect the use of biometric data but how can companies use this without running afoul of the law. Generally, there are four things a business must do to be in compliance.

First, before collecting any biometric data a business must have a written policy in place that covers, among other things, the retention period and guidelines for destruction of such information. This policy must be publicly available.

Second, a business must provide you written notice that the information is being collected and provide the reason for the collection, describe the length of time that the information will be stored, used, etc. This is often found in the “terms of use” that you must acknowledge before you get to use an app. I know…...I don’t read those things either.

Third, a business must take steps to ensure the security of the information collected. It should also regularly review the need to retain such information and endure that it is deleted when it is no longer required.

Finally, generally speaking, a business may not disclose any information to a third party without express permission. Of course, a business may disclose parties with whom the information may be shared at the point of collection. Remember the “Terms of Use” agreement. Yeah, look in there.

Now, what if the business violates BIPA. Well, in Illinois the base statutory damages start at $1,000.00 per violation and increase to $5,000.00 for intention or reckless violation.

Well, what is the big deal you may ask. My fingerprint or retina scan is not that big a deal. I would disagree.

Your biometric data is yours and yours alone. While I enjoy the convenience of being able to login into apps and my phone with this information, I do not want it to be sold or used for commercial purposes without my consent. Moreover, this information can be used to track and monitor people without their consent. As I mentioned earlier, I don’t even want to have a social media presence much less have companies tracking my movements through facial recognition software, fingerprints, or voiceprints. This type of information is ripe for misuse. As a result, I think it is important that the states adopt some type of biometric information privacy legislation as soon as possible.

Brad Klepper, Esq. is President of Interstate Trucker Ltd., a law firm entirely dedicated to legal defense of the nation's commercial drivers. Interstate Trucker represents truck drivers throughout the forty-eight (48) states on both moving and non-moving violations. Brad is also Executive Vice President & General Counsel of Drivers Legal Plan, which allows member drivers access to his firm’s services at greatly discounted rates. Brad spent almost a decade with the largest law firm in Oklahoma where his practice included extensive experience in transactional law, business defense litigation, and intellectual property. In addition, Brad is a licensed architect and serves as General Counsel to the Oklahoma Board of Architects, Landscape Architects and Interior Designers. Brad has dedicated much of his time to DataQs challenges, which are challenges posed to the FMCSA for CSA incidents, to examine data and reports filed by law enforcement.

800-333-DRIVE (3748) or www.interstatetrucker.com and www.driverslegalplan.com